FOR518: Mac Forensic Analysis

Mon, September 12 - Sat, September 17, 2016

With so much focus on Windows forensics, the Mac class is really necessary.

Paul Sieberth, Tulane University

Digital forensic investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms, yet most investigators are familiar with Windows-only machines.

Times and trends change and forensic investigators and analysts need to change with them. The new FOR518: Mac Forensic Analysis course provides the tools and techniques necessary to take on any Mac case without hesitation. The intense hands-on forensic analysis skills taught in the course will enable Windows-based investigators to broaden their analysis capabilities and have the confidence and knowledge to comfortably analyze any Mac or iOS system.

Forensicate Differently!

The FOR518: Mac Forensic Analysis Course will teach you:

Mac Fundamentals: How to analyze and parse the HFS+ (Hierarchical File System Plus) file system by hand, and how to recognize the specific domains of the logical file system and Mac-specific file types.

User Activity: How to understand and profile users through their data files and preference configurations.

Advanced Analysis and Correlation: How to determine how a system has been used or compromised by using the system and user data files in correlation with system log files.

Mac Technologies: How to understand and analyze many Mac-specific technologies, including Time Machine, Spotlight, iCloud, Versions, FileVault, AirDrop, and FaceTime.

FOR518: Mac Forensic Analysis aims to form a well-rounded investigator by introducing Mac forensics into a Windows-based forensics world. This course focuses on topics such as the HFS+ file system, Mac-specific data files, tracking user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who successfully completes the course will have the skills needed to take on a Mac forensics case.

For multi-course live training events, there will be a setup time from 8:00-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.

Course Syllabus

FOR518.1: Mac Essentials and the HFS+ File System

Overview

This section introduces the student to Mac system fundamentals such as acquisition, the Hierarchical File System Plus (HFS+), timestamps, and logical file system structure. Acquisition fundamentals are the same on Mac systems, but there are a few Mac-specific tips and tricks that can be used to successfully and easily collect Mac systems for analysis. The building blocks of Mac forensics start with a thorough understanding of HFS+. Using a hex editor, the student will learn the basic principles of the primary file system implemented on Mac OS X systems. Students comfortable with Windows forensic analysis can easily learn the slight differences on a Mac system: the data are the same, only the format differs.

Exercises

Exercise Setup

Mac Incident Response

Disks and Partitions

HFS+

CPE/CMU Credits: 6

Topics

Mac Fundamentals

History

Mac Systems & Versions

Mac Analysis in a Windows World

Mac Acquisition

Acquisition Types

Acquisition Tools

Tips & Tricks

Incident Response

Gathering Volatile Data

Mac IR Tools and Commands

HFS+ File System

Disk & Volumes

Partition Schemes

Boot Camp

FileVault

Volume Header

B-Trees

Catalog File

Extents Overflow File

Allocation File

Attributes File

Startup File

Link Files

Journal

Volumes

Disk Images (DMGs)

Sparse Bundles & Sparse Disk Images

FileVault

Mac Basics

Timestamp Formats

OS X File System Domains

User Domain

Local Domain

System Domain

Network Domain

SQLite Databases

Property List Files

FOR518.2: User Domain File Analysis

Overview

The logical Mac file system is made up of four domains: User, Local, System, and Network. The User Domain contains most of the user-related items of forensic interest. This domain consists of user preferences and configurations, e-mail, Internet history, and user-specific application data. This section covers a wide array of information that can be used to profile and understand how individuals use their computers.

Exercises

User Account Data and Preferences

Safari

Apple Mail

Mac Applications

CPE/CMU Credits: 6

Topics

User Home Directory

Preferences

Caches

Sandbox Containers

User Account Information

Last Logon

Account Data

Password Shadow

Keychains

User Autoruns

User Data Analysis

Bash History

Downloads

File Quarantine

Recent Files, Folders, Servers, Applications

SSH Known Hosts

Printing

Trash

Saved Application State

OS X GUI Preferences

User Logs

Bluetooth

Internet & E-mail

Safari

Preferences

Downloads

Internet History

Cache

Last State

Cookies

Apple Mail

E-mail Accounts

Messages

Attachments

Instant Messaging

iChat, Messages, & FaceTime

IM Preferences

Recent Chats

Chat Logs

File Transfers

Native Mac Applications

iCal and Calendar

Address Book & Contacts

iTunes

iPhoto

iWork: Numbers, Keynote, and Pages

Stickies

Spotlight

AirDrop

Screen Sharing

Microsoft Office

FOR518.3: System and Local Domain File Analysis

Overview

The System and Local Domains contain system-specific information such as application installation, system settings and preferences, and system logs. This section details basic system information, GUI preferences, and system application data. A basic analysis of system logs can give a good understanding of how a system was used... or abused.

Timeline analysis tells the story of how the system was used. Each entry in a log file has a specific meaning and may be able to tell how the user interacted with the computer. The log entries can be correlated with other data found on the system to create an in-depth timeline that can be used to solve cases quickly and efficiently. Analysis tools and techniques will be used to correlate the data and help the student put the story back together in a coherent and meaningful way.

Exercises

System Data and Preferences

Log Analysis

Timeline Analysis and Data Correlation

CPE/CMU Credits: 6

Topics

System Information

System Version

System Installation

Time Zone Settings

Network Information

Deleted User Accounts

System Applications

Application Bundles

Mach-O Executables

System Autoruns

Firewall Settings

Screen Sharing

Remote Management

File Sharing

Remote Login

Printing

Bluetooth

Software Update

Kernel Extensions

Log Analysis

Log Locations

Log Analysis Tools

Log Recovery

Apple System Logs

BSM Audit Logs

Secure.log

System.log

Kernel.log

Other System Logs

Timeline Analysis & Correlation

Temporal Context

Network Analysis

User Logins/Logouts

Temporal Modifications

Software Updates

User Activity

Volume Activity

Suspicious Activity

System Information & State

Backup Activity

Locational Information

FOR518.4: Advanced Analysis Topics

Overview

Mac systems implement some technologies that are available only to those with Mac devices. These include data backup with Time Machine, Versions, and iCloud; extensive file metadata with Extended Attributes and Spotlight; and disk encryption with FileVault. Other advanced topics include data hidden in encrypted containers, Mac intrusion and malware analysis, Mac Server, and Mac memory analysis.

Exercises

Time Machine & Spotlight Analysis

Password Cracking & Encrypted Containers

iCloud & Document Versions

Memory Analysis

CPE/CMU Credits: 6

Topics

Extended Attributes

Extracting and Viewing Extended Attributes

File System Events Store Database

Time Machine

Backup Settings

Backup Volumes

Snapshot Analysis

Local Snapshots

Encrypted Backups

Mounting & Analysis

Spotlight

Spotlight Settings

Spotlight Analysis

Cracking Passwords & Encrypted Containers

Password Shadow Files

Cracking Software

Keychains

FileVault

Encrypted Volumes & Disk Images

iCloud

Synced Accounts

Mobile Documents

Synced Preferences

Logs

Photo Stream

Document Versions

Versions Metadata

Versions Database

Generations Files

ChunkStorage Storage Format

Malware & Antivirus

Intrusion Analysis

Java Cache & IDX Files

File Quarantine

XProtect

Gatekeeper

Memory Acquisition & Analysis

Acquisition Tools

Analysis Tools

Portable OS X Artifacts

FAT Formatted Drives

DS_store Files

Mac OS X Server

Server Settings

Server Data

File Shares

Server Logs

FOR518.5: iOS Forensics

Overview

From iPods to iPhones to iPads, it seems everyone has at least one of these devices. Apple iDevices are seen in the hands of millions of people. Much of what goes on in our lives is often stored on them. Forensic analysis of these iOS devices can provide an investigator with an incredible amount of information. Data on these iOS devices will be explored to teach the student what key files exist on them and what advanced analysis techniques can be used to exploit them for investigations.

Additional Information

Laptop Required

It is critical that you follow the pre-class setup guide for your Mac found here: https://www.sans.org/security-resources/for518-mac-system-setup-guide-v1.4.pdf. This pre-class Mac system setup guide is crucial to follow prior to attending class on the first day. The guide is a detailed step-by-step walkthrough of a variety of downloads and configuration steps needed to prep your system for an in-depth and exciting week of Mac forensics. Please follow all of the steps correctly; otherwise your enjoyment of the class could be impacted. We recommend setting up your system at home, as hotel internet might not be adequate to finalize the setup prior to class. Please do not wait until the night before class to follow the setup guide.

A properly configured Mac system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Press & Reviews

"Really excellent course. Fantastic resource in the classroom material. Forensic challenge the last day was very fun." - Anonymous

"Best Mac class anywhere." - Eric Koebelen, Incident Response US

"It was very interesting to learn that certain 'forensic' tools could report data as being encrypted even though one could still get other data." - Gary Titus, Stroz Friedberg LLC

"Best course I know about on Mac Forensic. Like the use of mostly 'ghetto' tools." - Anonymous

"Solid background for investigations new to Mac." - Eric Mak, Google

"Best of any course I've ever taken. I love the idea of being able to bring home and review." - Eric Koebelen, Incident Response US

"The depth of time exercise was outstanding. One can tell the amount of work that went into it." - Gary Titus, Stroz Friedberg LLC

"Wow. Sarah is awesome." - Anonymous

"With so much focus on Windows forensics, the Mac class is really necessary." - Paul Sieberth, Tulane University

"I have not encountered a Mac class this in-depth that covers the file structure so well." - Craig Goldsmith, OCSD

"The most comprehensive Mac class I've taken." - Daniel Mills, NASA

"This is the most in-depth Mac class I have attended." - Craig Goldsmith, OCSD

Author Statement

This course is designed to allow an analyst comfortable in Windows-based forensics to perform just as well on the Mac. The Mac market share is an ever-increasing and popular platform for many companies and government entities.

I believe a well-rounded forensic analyst is an extremely well-prepared and employable individual in a Windows forensics world. Windows analysis is the base education in the competitive field of digital forensics. Any additional skills you can acquire can set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis.

Mac forensics is truly a passion of mine that I genuinely want to share with the forensics community. While you may not work on a Mac investigation every day, the tools and techniques you learn in this course will help you with other investigations including Windows, Linux, and mobile. -Sarah Edwards